It may be important to your website design that some or all of your search results be viewable by members only, where members are those who have logged into your site. Below we offer a variety of security approaches so you can decide what's right for your level of concern with member authorization.
Your engine's search results are generated from PicoSearch in response to the user's query. For free accounts, the search results are seen within a page design that you have only some basic control over, via settings in your account manager. For the paid Professional and Premium accounts, you control the results page design by the Customize Template feature in your account manager. The template is still served from PicoSearch's machines, but you can put any code including javascript into that page for more advanced authorization possibilities.
For the most basic security, you can help ensure that only members find your search engine to use simply by putting the search box only on the site pages that members can reach. If you also want your search engine to do double-duty to serve both members and non-members, you can set Partitions. With partitions you can define options for where to search, so that non-members can only search the public sub-section of your site, while members access everything (the ALL partition). Partitions usually create a drop-down menu for choosing where to search, but you can hide the partition choice so the non-member user never even realizes that there was more to search. Just use the phide and psel arguments as described in the Partitions FAQ. The code of the originating search box then determines where the search goes, so the user is silently driven to the area appropriate for them.
Note that if you have directories on your website that are password protected by HTAccess or cookie techniques, you have to tell PicoSearch the password to reach these files when the search engine is being built in the first place. See the "Password Protection and Cookie Setting" section of your account manager to do this. There you will find an option to turn off Concordance for your protected files so that text excerpts of sensitive material won't be seen at all in the search results. This can be a good way to ensure content security while still allowing anyone to find documents on your site. When the user clicks on the search result to see the page on your site, your login authorization code on your own web pages can send non-members to the login entrance before they are allowed to view members-only material.
Usually it's enough that the search results' links back to your site enforce member login through your own web pages. But if for some reason you need to immediately block non-members from ever even seeing your search results, then you will need to take more aggressive measures than just restricting your search to the members-only pages of your web site. Perhaps your search results page inherently shows valuable information even before the user clicks on a link to return to your site, so that you want to actively kick off non-members by redirecting them to your home login page.
What you will need then is to add some code such as javascript to your PicoSearch results template to check member status. The problem will be that if your authorization system depends on server-side includes, and/or checking of cookies that were set from your domain, these techniques will not work from the PicoSearch domain that serves your search results. You need a work-around for the normally desirable fact that PicoSearch is hosted at a different domain from your own site. Here are three options that can work for you, in order of increasing difficulty to implement:
- Bring your search engine into your domain by purchasing the private domain feature.
The Private Domain is the one additional feature that can be purchased to completely mask the PicoSearch domain as a subdomain of your own website. Companies often request this option to turn all the picosearch.com links on the search results page into search.mydomain.com links, making the search engine appear to be hosted at their own servers for the sake of corporate consistency. But in the case of wishing to add cookie-checking javascript to your search results template code, the Private Domain makes this possible. Now your website can set cookies for logged-in members that are scoped to your entire domain, so the subdomain of your search results page will be able to read them under the browser's own cookie-scoping rules. Just set your cookies to expire within a reasonable timeframe such as a day, and add standard cookie-checking code to your template which redirects the user back to your login if the cookies aren't valid. Your search results will now be secure at the moment of searching. See our Private Domain FAQ for more information on setting this option, and try this web reference site for cookie scoping rules.
- Pass an argument from your site that verifies the user is logged in, then set another cookie from PicoSearch to allow continuing search.
If you don't want to get the Private Domain of the first solution as described above, things will be more complicated. You will need to put javascript on your search results template that takes a signal from your website's search box that the user is logged in, and then you can set another cookie from the picosearch.com domain to authorize the user for continued searching. PicoSearch offers a series of PICOCALLER arguments that will be respected for whatever values you wish to pass into your search results page. Usually these are used for plugging additional run-time text into your results template, but you could also pick one to represent a logged-in user flag that your javascript will find in the cgi args of the search engine call from your website. You may wish to encode a timestamp into the value so your javascript can expire an old search call; then users can't just bookmark your search engine for future unauthorized use. Invalid search users can then be redirected back to your home login page. This solution is obviously much more do-it-yourself and non-standard than the Private Domain feature approach described above, but it or something like it can certainly be made to work by an experienced web designer.
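The following is an added example of the template-side check described for both the Private Domain option above and the PICOCALLER option just described; it is not PicoSearch's own code, and the cookie name `member_session`, the cookie value layout `<issuedAtMs>.<opaque id>`, the argument name `PICOCALLER1`, the login URL and the freshness windows are all assumptions. The decision logic is kept in pure functions that take the cookie string, query string and current time as inputs, with the browser glue at the bottom, so the same code can be exercised outside a browser. Both checks run in the visitor's browser, and the timestamp in the query argument is visible to anyone who loads the search form, so they gate what the results page shows; the links back to your site still rely on your own login enforcement, as the text above notes.

```javascript
// Added example, not PicoSearch code. Names below are assumptions.
const LOGIN_URL = "https://www.example.com/login";  // assumed login entrance
const MEMBER_COOKIE = "member_session";             // assumed cookie name
const LOGIN_FLAG_ARG = "PICOCALLER1";               // assumed PICOCALLER slot
const COOKIE_MAX_AGE_MS = 24 * 60 * 60 * 1000;      // one day, as suggested above
const FLAG_WINDOW_MS = 5 * 60 * 1000;               // assumed freshness window for the flag

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return jar;
}

// True if issuedAt is a number no later than now and within maxAgeMs of it.
function isFresh(issuedAt, nowMs, maxAgeMs) {
  return Number.isFinite(issuedAt) && nowMs >= issuedAt && nowMs - issuedAt <= maxAgeMs;
}

// Option 1 (Private Domain): the member cookie is set by your own site with
// Domain=.yourdomain.example so the search subdomain can read it. Its value is
// assumed to start with the issue time in ms, e.g. "1700000000000.opaqueid".
function checkMemberCookie(cookieString, nowMs) {
  const value = parseCookies(cookieString)[MEMBER_COOKIE];
  if (!value) return false;
  return isFresh(Number(value.split(".")[0]), nowMs, COOKIE_MAX_AGE_MS);
}

// Option 2 (PICOCALLER flag): the search form on your site passes the issue
// time in ms as the flag value; an old value is treated as expired.
function checkLoginFlag(queryString, nowMs) {
  const flag = new URLSearchParams(queryString || "").get(LOGIN_FLAG_ARG);
  if (flag === null || flag === "") return false;
  return isFresh(Number(flag), nowMs, FLAG_WINDOW_MS);
}

// Decide what the results template should do. Returns an object describing
// the action so the caller (browser glue or a test) can act on it.
function decide(cookieString, queryString, nowMs) {
  if (checkMemberCookie(cookieString, nowMs)) {
    return { action: "allow" };
  }
  if (checkLoginFlag(queryString, nowMs)) {
    // Fresh flag: set a cookie on the results domain so later searches pass
    // the first check without the flag. Max-Age is in seconds.
    const maxAgeSec = Math.floor(COOKIE_MAX_AGE_MS / 1000);
    return {
      action: "allow",
      setCookie: `${MEMBER_COOKIE}=${nowMs}.r; Max-Age=${maxAgeSec}; Path=/; Secure; SameSite=Lax`,
    };
  }
  return { action: "redirect", location: LOGIN_URL };
}

// Browser glue: only runs when loaded in a page.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  const d = decide(document.cookie, location.search, Date.now());
  if (d.setCookie) document.cookie = d.setCookie;
  if (d.action === "redirect") location.replace(d.location);
}
```

Place the script at the top of the template body so the redirect happens before any result markup is rendered; `location.replace` is used rather than assignment so the results page does not remain in the visitor's history.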
- Consume the search results in datafeed format and build the results page from your domain.
For the approach that offers the most comprehensive control, at the expense of real programming work on your side, PicoSearch results can be consumed as a datafeed that becomes incorporated into your website's own pages either at the server (XML feed) or in the browser (JSON feed). The datafeed technique is most often used by companies that wish to leave the searching up to PicoSearch, while still interweaving the search results into their own presentation. But since the results become presented from your domain and entirely within your control, the datafeed model can fully integrate with your member authorization system, including cookie checking and server-side includes. The cost is that you must completely build the search results page using some advanced scripting language, so this approach is not for beginners.
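As an added example of the datafeed approach (not PicoSearch's code), the function below represents a server-side page on your own domain: it checks the visitor's session before any result is rendered and then builds the results list from an already-parsed feed. The feed shape `{ results: [{ title, url, excerpt }] }`, the session object, the login URL and the feed URL are assumptions, and the sample feed is constructed for the example. Because the results now render from your domain, every field from the feed is HTML-escaped and link targets are restricted to http(s), so text from indexed pages cannot inject markup into your members-only page.

```javascript
// Added example, not PicoSearch code. Feed shape, session shape and URLs are assumptions.
const LOGIN_URL = "https://www.example.com/login";          // assumed login entrance
const FEED_URL = "https://FEED-URL-PLACEHOLDER/?q=";         // placeholder; real URL comes from your account

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Only allow http(s) links from the feed; anything else becomes an inert "#".
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : "#";
  } catch (e) {
    return "#";
  }
}

// Session check done on your server, where server-side includes and your
// own cookies are available. The session shape {userId, expiresAt} is assumed.
function isSessionValid(session, nowMs) {
  return Boolean(session && session.userId && Number(session.expiresAt) > nowMs);
}

// Build the response for the results page: redirect non-members, otherwise
// render the feed. Returns {status, location} or {status, body}.
function renderResultsPage(session, feed, nowMs) {
  if (!isSessionValid(session, nowMs)) {
    return { status: 302, location: LOGIN_URL };
  }
  const items = (feed && Array.isArray(feed.results) ? feed.results : []).map((r) =>
    `<li><a href="${escapeHtml(safeHref(r.url))}">${escapeHtml(r.title)}</a>` +
    `<p>${escapeHtml(r.excerpt || "")}</p></li>`
  );
  return { status: 200, body: `<ul>${items.join("")}</ul>` };
}

// Wiring sketch for a Node 18+ handler: fetch the JSON feed only after the
// session check passes, so unauthenticated requests never trigger a search.
async function handleSearch(session, query, nowMs) {
  if (!isSessionValid(session, nowMs)) return { status: 302, location: LOGIN_URL };
  const res = await fetch(FEED_URL + encodeURIComponent(query));
  return renderResultsPage(session, await res.json(), nowMs);
}

// Constructed sample feed, including content that must not render as markup.
const SAMPLE_FEED = {
  results: [
    { title: "Quarterly <script>alert(1)</script> report", url: "https://www.example.com/q1", excerpt: "Members \"only\"" },
    { title: "Odd link", url: "javascript:alert(1)", excerpt: "" },
  ],
};
```

The `handleSearch` sketch is the only place that talks to PicoSearch; everything else is pure and can be unit-tested against constructed feeds like `SAMPLE_FEED`.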